Former student pleads guilty to hacking school payroll data

He gets 10 years; Vancouver district employees put at risk

By Howard Buck, Columbian staff writer

A 21-year-old former Evergreen Public Schools student has pleaded guilty to criminal charges in connection with a computerized payroll security breach in November that put more than 5,000 past and current Vancouver Public Schools employees at risk of identity theft.

Christopher Berge, a 2006 Mountain View High School graduate last known to live in Oregon City, Ore., was sentenced to 10 years in prison on Wednesday by Clark County Superior Court Judge Roger Bennett.

Berge pleaded guilty to 31 counts, including 24 counts of second-degree identity theft, first-degree computer trespass, forgery and possession of methamphetamine.

Authorities said the identity theft counts relate to 24 victims who either had fraudulent credit cards set up in their name or whose personal information was obtained by Berge but not compromised.

No school employees have reported any loss, Vancouver district officials said.

But they also estimate the district is out about $30,000 in direct and indirect costs incurred to investigate the breach and develop procedures to prevent a recurrence.

Berge has been jailed since his arrest in November.

A restitution hearing has not yet been scheduled.

The news was announced late Wednesday by e-mail from Vancouver Superintendent Steve Webb to district administrators, and passed to employees on Thursday. Webb wrote that the pleas brought “closure” to the data breach uncovered Nov. 9.

Webb’s e-mail said Berge had “shoulder-surfed” a password from an Evergreen school employee while still a student there.

That password gained him entry to Evergreen’s student records system and, later, Vancouver Public Schools’ payroll data accessed on hardware run by the Washington School Information Processing Cooperative, physically housed at Educational Service District 112 headquarters in Vancouver.

The data included personal information, such as names, dates of birth, Social Security numbers and other banking information for the 3,300-plus current Vancouver Public Schools workers, and an additional 1,900 past employees.

Berge first gained access to Evergreen’s computer system in August, “but didn’t get anything useful for committing crimes,” said Mike Vaughn, Clark County deputy prosecutor.

Three months passed before Berge used Evergreen’s computer system to open an account and gain entry to the Vancouver data. Vaughn suspects Berge made several attempts to hack and stake out Vancouver’s system before actually obtaining the personal information, he said.

Berge then used several employees’ information to open credit card accounts, establish mail drops and make fraudulent checks on Nov. 7, Vaughn said. He was caught the next day after he tried to pass one of the fraudulent checks at the Fred Meyer store in Hazel Dell.

Vaughn said an employee found the check suspicious and alerted police, who made the arrest. This came hours after Berge apparently tried to cash another fake check at the Salmon Creek Fred Meyer store.

“He very quickly went to work with the information he had,” Vaughn said. “However, he was not sophisticated in how he tried to cash the checks … They weren’t well-done counterfeits.”

The following day, Nov. 9, the Vancouver district alerted all 5,200 people at risk to notify their banks, credit unions and credit card companies. Many individuals quickly canceled and changed accounts.

Fraud prevention costs

The district also spent $31,000 to purchase fraud prevention and resolution services to cover any personal losses (with $10,000 paid by the district’s own insurance). That policy runs through this Nov. 9.

Steve Olsen, Vancouver district business director, said there have been no further “hits” on employee accounts since Berge’s arrest. “We’ve heard of nothing, seen nothing, since,” he said.

Meantime, password protocols and other security measures have been tightened at all local school districts serviced by WSIPC, Olsen said.

WSIPC is an Everett-based, nonprofit cooperative that oversees student and fiscal software for 282 of Washington’s 295 school districts. It has reimbursed Vancouver about $32,000 for extra labor and other costs directly tied to the breach.

Ongoing district expense includes higher payroll costs since many employees dropped direct deposit, Olsen said.

“This caused a huge mess,” he said. “It panicked so many people. They closed bank accounts and opened new ones; we had a ton of people walk away from direct deposits.”

Despite Webb’s allusion to “closure,” at least one affected couple isn’t yet at ease.

The e-mail is “not terribly reassuring. We’re still quite concerned about identity theft,” said Doug Batchelor, 62, a retired postal worker whose wife, Bernell, is a Skyview High School para-educator.

Batchelor said the couple changed their bank account and redirected her direct deposits, and their credit union continues to monitor for unusual account activity.

“It really heightens the anxiety over this thing,” he said of the November breach. “You feel terribly compromised when something like this happens.”

Columbian staff writer Laura McVicker contributed to this story.